Notice I referred to "digitized" instead of digital; this is a very important distinction. These services essentially offer ways to transport handwritten scribbles into digital processes. They can be anything from attaching a Microsoft Paint scribble or a scan of one written on a piece of paper, to custom font generation that makes your signature look like you are a former president of the United States.
I won't mention any such services by name, but if you've purchased a house or engaged in any sort of contract paperwork activity (leases, etc.) you have likely encountered these services. Last I checked, one of these companies is worth north of $40B, no doubt reflecting the size of the market for such services.
First, what is the purpose of any signature? As the name suggests, it is primarily to ascribe provenance to something, be it an abstract thing such as a legal agreement expressed in writing or a physical object such as a painting. We also use the notion of signature to refer to a manifestation that serves as a tell-tale sign of some fact (or the truthfulness thereof) without necessarily observing the actual manifestation of the fact itself.
What is the purpose of signing a paper then? Well, it is supposed to, first, attest to the fact that the entity whose identity is associated with the document is consenting to whatever it is that the paper implies. Second, your scribbles are supposed to be unique, such that someone could not forge them and fool others into accepting an agreement that the identified entity is in fact not a party to.
Handwritten signatures, even in the days of King Henry, were more of an intellectual pretense than an effective mechanism for genuine projection of trust. That they have persisted into the 21st century is more than distressing.
We now have even the democratic franchise of voting citizens tethered to matching variations of such scribbles. My handwritten signature varies based on what I had for breakfast, so the idea that anyone would want to judge the authenticity of any document based on it would be hilarious if it weren't such a serious matter.
The entire edifice of affixing handwritten scribbles (or their digital imitations) to documents is quite mindless if the aim of signatures as described above is to be achieved.
Obviously the need for entities to affirmatively agree to conditions and to have that recorded in a way that is tamper-proof and indisputable has not gone away. However, given the purpose of signatures, it is clear that scribbles on paper or their digitized cousins are certainly not an answer. At best one can consider these services as ceremonial, insofar as they facilitate the continuation of the pre-digital processes that demand handwritten signatures.
What then is the solution to signatures in the digital era? The answer is simple and well understood (hard to believe perhaps): PKI certificates. Given that Certisfy is about leveraging PKI for trust on the internet, this is a self-serving answer, but it is also a true answer.
A digital signature (not a digitized one) of a document, along with the certificate whose corresponding private key was used to generate that signature, is all that is needed to achieve the intended goal of handwritten signatures.
From a purely technical requirement perspective, you would need to add no more than two new entries to your data model to support this: a field to store the cryptographic signature and a field to store the cryptographic certificate-chain that can verify that signature. If a dispute were to emerge a century from now, you wouldn't need to hire medieval forensic experts to authenticate the document; you would simply run the signature and document through the appropriate cryptographic verification function to authenticate it.
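The two-field model and the verification step described above, as an added Go example (not code from this post or from Certisfy). The names SignedDocument, demo and Verify, the Ed25519 keys and the "Demo Root CA" and "Alice Example" certificates are constructed for illustration; the example is narrowed to a signer certificate issued directly by a trusted root, and the caller chooses the time at which the certificate is evaluated, because a certificate only verifies within its validity period.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument (hypothetical model): document plus the two added fields; CertChain is DER, signer first.
type SignedDocument struct{ Body, Signature, CertChain []byte }

// demo builds a constructed root CA and signer, signs body, returns record and trusted roots (errors ignored).
func demo(body []byte) (SignedDocument, *x509.CertPool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, t, t, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	t.SerialNumber, t.Subject.CommonName, t.KeyUsage, t.IsCA = big.NewInt(2), "Alice Example", x509.KeyUsageDigitalSignature, false
	leafDER, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return SignedDocument{body, ed25519.Sign(key, body), leafDER}, roots
}

// Verify checks the signer certificate against roots as of time at, then the signature over Body.
func Verify(doc SignedDocument, roots *x509.CertPool, at time.Time) (string, error) {
	certs, err := x509.ParseCertificates(doc.CertChain)
	if err != nil || len(certs) == 0 {
		return "", fmt.Errorf("unusable certificate chain (parse error: %v)", err)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := certs[0].Verify(opts); err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if err := certs[0].CheckSignature(x509.PureEd25519, doc.Body, doc.Signature); err != nil {
		return "", fmt.Errorf("signature does not match document: %w", err)
	}
	return certs[0].Subject.CommonName, nil
}

func main() {
	doc, roots := demo([]byte("constructed sample: lease agreement v1"))
	fmt.Println(Verify(doc, roots, time.Now()))
}
```

Verification fails closed in three distinct ways here: an altered document body, a signer whose issuer is not among the verifier's trusted roots, and an evaluation time outside the certificate's validity period.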
There are of course legitimate arguments to make against PKI (some favor blockchain contracts, etc.), but when the alternative is handwritten scribbles, such arguments diminish towards meaninglessness.
We continue to be plagued by data breaches, password and credit card dumps, healthcare records, etc. One of the reasons many of these breaches continue to be devastating and effective for cyber criminals is that our current information use infrastructure/architecture relies on secrecy as the primary mode for preventing the misuse of information. Secrecy simply means only the people who have the right to use a bit of information have access to it; when that assumption breaks down, as it does with data breaches, the related information can lose some or all of its value. For instance, a compromised credit/debit card number means getting a new number. A compromised password database means changing the passwords, etc. Secrecy has its use as a privacy preserving mechanism but is fairly flawed as an information usage authentication mechanism. The idea of secrecy as the mechanism for controlling the use of information is deeply ingrained, so much so that even people who should know better often